Caremark duty · Marchand v. Barnhill · D&O liability
AI Risk and D&O Liability: A Reference for Directors
How AI governance is becoming a director-level fiduciary issue. The legal framework, the recent litigation, the questions D&O underwriters are asking, and the documentation directors should require from management.
Quick answer
Directors face personal fiduciary liability for AI oversight failures under Delaware's Caremark and Marchand v. Barnhill standards once AI becomes mission-critical to the company. Boards must establish documented information systems, regular AI-risk reporting, and oversight processes; failure to do so exposes directors individually and inflates D&O premiums or creates AI-specific coverage gaps at renewal.
Summary
D&O (directors and officers) liability for AI risk arises when boards fail to discharge their duty of oversight as AI becomes a mission-critical compliance topic for the company. Under Delaware's Caremark and Marchand v. Barnhill standards, directors face a duty to monitor compliance in areas central to the company's operations or legal exposure. AI now meets that bar at most public and large private companies, particularly given the wave of AI-specific state and federal regulation taking effect in 2025-2027 and the documented rise of AI-related securities class actions. Directors who do not establish information systems, regular reporting cadences, and documented oversight of AI compliance face individual exposure under fiduciary duty doctrine, and their companies face elevated D&O premiums and coverage gaps at renewal.
Most asked
Does Caremark apply to private company directors?
Caremark was a Delaware Court of Chancery decision and Marchand a Delaware Supreme Court decision, so they apply most directly to Delaware-incorporated companies, both public and private. However, the fiduciary duty of oversight has been recognized in most US jurisdictions, so private company directors face parallel exposure under the corporation law of their state of incorporation. The duty to monitor mission-critical compliance is widely understood as a baseline fiduciary obligation, regardless of public/private status. Private company directors may face reduced litigation risk from securities plaintiffs but retain exposure to derivative actions and contractual indemnification disputes.
What makes AI "mission critical" for purposes of Caremark?
The Marchand standard asks whether the compliance topic is central to the company's operations and legal exposure. AI qualifies when (a) the company uses AI in a substantial way that could harm employees, customers, or counterparties; (b) the company is subject to AI-specific regulation (Illinois HB 3773, EU AI Act, NYC LL 144, Colorado AI Act, etc.); (c) the company makes representations about AI in SEC filings or marketing; or (d) the company's industry has documented patterns of AI-related litigation or enforcement. Most public companies and large private companies meet at least one of these criteria as of 2026.
How can directors discharge the duty of oversight without becoming AI experts?
Directors do not need to be AI experts, just as they do not need to be cybersecurity experts to discharge oversight of cyber risk. The duty is to establish reasonable information systems and to monitor compliance through them. Practically, this means: ensuring management has built an AI governance program, requiring regular reporting on AI compliance to the appropriate committee, documenting that reporting in board minutes, asking informed questions when reports surface gaps or incidents, and engaging independent advisors when management lacks the expertise to provide comprehensive answers.
Overview
The legal framework that governs AI risk for boards of directors did not exist as a standalone doctrine until very recently. It has been constructed, in real time, by combining four established lines of authority: the Delaware Caremark line on duty of oversight, the Marchand v. Barnhill mission-critical compliance standard, the federal securities law framework for material misstatements, and the growing body of state and federal AI-specific regulation that turns AI into a documented compliance topic. The four converge to produce a framework that puts AI oversight squarely within director fiduciary duty as of 2026.
Most boards are still operating as if AI is a management responsibility, similar to how cybersecurity was treated in 2010. That posture is rapidly becoming untenable. Cybersecurity took roughly fifteen years to migrate from "management runs it, the board occasionally hears about it" to "the board has documented oversight, named expertise, and regular committee reporting." The AI migration is moving faster — closer to a five-year arc — driven by the speed of AI-specific regulation and the velocity of related litigation.
This reference is for directors, audit committee chairs, risk committee chairs, and general counsel who advise boards. It covers the legal framework, the current state of AI-related litigation, the questions D&O underwriters are asking at renewal, and the documentation directors should require from management to discharge their oversight duty.
The Caremark framework
The duty of oversight in Delaware corporate law was established in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). Chancellor Allen wrote that directors have an obligation to "attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists." The original Caremark theory of liability was a sustained or systematic failure to make that good-faith attempt: not a flawed system, but the absence of any effort to install one.
For more than two decades after Caremark, the duty of oversight was treated as nearly impossible to violate. Plaintiffs almost never succeeded in pleading a Caremark claim past a motion to dismiss. Chancellor Allen himself called it "possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment," and practitioners repeated the description.
That changed in 2019, with the Delaware Supreme Court's decision in Marchand v. Barnhill.
Marchand and mission-critical compliance
Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), arose from a listeria outbreak at Blue Bell Creameries that caused three deaths and required a national recall. Plaintiffs alleged that the Blue Bell board had failed to monitor food safety despite food safety being central to the company's operations and legal exposure — and despite documented prior warning signs.
The Delaware Supreme Court reversed the lower court's dismissal of the Caremark claim, articulating a renewed Caremark standard that practitioners now refer to as "Marchand-style" Caremark liability. The Court held that, in industries where compliance failures present catastrophic risk, directors have an affirmative duty to establish a board-level information system to monitor that compliance topic. Failure to do so — failure to even attempt oversight — constitutes bad faith and exposes directors to personal liability.
The Marchand standard rests on three elements:
- Mission-critical compliance. The compliance topic must be central to the company's operations or legal exposure. Food safety at a food company qualifies. So does cybersecurity at most modern companies, drug safety at a pharmaceutical company, and worker safety at an industrial company.
- Failure of oversight, not failure of decision. Marchand does not impose liability for poor decisions; it imposes liability for the absence of any decision-making infrastructure. Directors who establish reasonable information systems and monitor them in good faith are protected even if the information system fails to detect a particular incident.
- Bad faith. The standard is bad faith, not negligence. Stone v. Ritter, 911 A.2d 362 (Del. 2006), located the oversight duty within the duty of loyalty, so a claim requires conscious disregard of the obligation to be informed rather than a mere failure to be informed. Directors are not liable for being uninformed; they are liable for being indifferent to the obligation to be informed. The distinction is what makes Caremark survivable for well-functioning boards.
Subsequent decisions have refined and reinforced the Marchand standard. In re Clovis Oncology, Inc. Derivative Litigation (Del. Ch. 2019), Hughes v. Hu (Del. Ch. 2020), and Teamsters Local 443 v. Chou (Del. Ch. 2020) each permitted Caremark claims to proceed past motions to dismiss, and In re McDonald's Corp. Stockholder Derivative Litigation (Del. Ch. 2023) held that corporate officers owe the same duty of oversight. Together they cement the Marchand standard as a live source of director and officer exposure.
Why AI now qualifies as mission critical
Four converging factors push AI into the Marchand mission-critical category at most public and large private companies:
1. AI-specific regulation has arrived
The Illinois Human Rights Act amendments under HB 3773 (effective January 1, 2026) make it a civil rights violation to use AI in a way that has the effect of subjecting employees to discrimination on the basis of a protected class. The Colorado AI Act (SB 24-205, whose effective date the legislature pushed from February 1 to June 30, 2026) creates documentation and impact assessment requirements. The Illinois WOPR Act regulates AI in behavioral health. NYC Local Law 144 requires bias audits for automated employment decision tools. The EU AI Act imposes documentation, conformity assessment, and post-market monitoring obligations on high-risk systems. California's ADMT regulations create privacy-adjacent obligations for automated decision systems.
A regulated activity is, almost by definition, a mission-critical compliance topic for Marchand purposes. The question is no longer whether AI compliance is central to the company's legal exposure but how directors are documenting their oversight of it.
2. AI-related litigation is rising
Cornerstone Research's 2025 Securities Class Action Filings — Annual Review documents a meaningful uptick in AI-related securities class actions starting in 2023 and accelerating through 2024-2025. The cases fall into several patterns: alleged misstatements about AI capabilities ("AI washing"), alleged failures to disclose AI-related risks, and alleged failures to disclose adverse events involving AI. Stanford's Securities Class Action Clearinghouse maintains a tracker of these cases.
The presence of plaintiffs' counsel actively filing AI-related cases is itself a Marchand factor. It is direct evidence that AI compliance failures translate into shareholder harm and securities-law exposure.
3. SEC enforcement on AI disclosures has begun
The Securities and Exchange Commission has brought enforcement actions against companies for AI washing and AI-related disclosure failures. The Commission has signaled in public statements that AI disclosures will be a continuing area of focus, including in periodic reports, registration statements, and investor communications. Companies that materially misstate AI capabilities or fail to disclose AI-related risks face SEC exposure parallel to private securities litigation.
4. AI is operationally central
For most companies in 2026, AI is no longer a research and development topic. It is in the customer service workflow, the hiring workflow, the credit underwriting workflow, the clinical workflow, the cybersecurity stack, and increasingly the strategic decision-making process. AI failures translate directly into customer harm, regulatory exposure, reputational damage, and operational disruption. This operational centrality is itself a Marchand factor.
The combination is decisive. AI is regulated, litigated, enforcement-targeted, and operationally central. It meets every Marchand factor.
Recent AI-related litigation
Tracking the AI-related litigation landscape is part of the informed oversight the Marchand standard expects of directors of public companies. The shape of cases that have been filed, settled, or proceeded past motions to dismiss shows how plaintiffs' counsel are constructing their theories and where directors face the greatest exposure.
Categories of AI-related litigation that have been filed through early 2026 include:
- AI washing securities class actions. Allegations that a company has overstated its AI capabilities or AI-driven revenue. These cases generally allege violations of Section 10(b) of the Securities Exchange Act and Rule 10b-5.
- AI bias / discrimination class actions. Allegations under Title VII, ADA, Age Discrimination in Employment Act, or state employment law that AI hiring or employment tools produced discriminatory effects. These cases typically name the employer; in some cases, the AI vendor is also named.
- AI-driven consumer protection class actions. Allegations under state UDAP statutes that AI features were deceptively marketed or harmed consumers (e.g., AI mental health apps in states with WOPR-style frameworks, AI advisors in states with adviser-licensing regimes).
- Caremark derivative actions. Allegations that directors failed in their oversight duty, leading to AI-related harm. Few have been filed to date but several are expected in 2026-2027 as plaintiffs adapt the Marchand theory to specific AI failures.
- Privacy class actions involving AI training data. Allegations under BIPA (Illinois), CCPA (California), and similar state privacy laws that AI training data was collected without proper consent or notice.
The trajectory is clear. AI is becoming, like cybersecurity and data privacy before it, a recurring source of class-action and derivative litigation. Boards that fail to document AI oversight are accumulating exposure that will surface when an incident hits.
What D&O underwriters are asking
D&O insurance is the practical pressure point that is forcing boards to act. Underwriters at AIG, Chubb, Travelers, and the Lloyd's syndicates are systematically asking AI-related questions at renewal. Companies that cannot answer them face material premium increases, AI-specific exclusions, sublimits, or reduced coverage.
Typical 2026 renewal questionnaire topics include:
- Does the company have a documented AI governance policy?
- Which board committee has primary oversight of AI compliance?
- How frequently does the committee receive AI compliance reports?
- Does the company maintain an inventory of AI systems used internally and in customer-facing products?
- Has the company conducted disparate-impact testing on AI tools used in employment decisions?
- How is the company responding to specific state AI laws (Illinois HB 3773, Colorado AI Act, NYC LL 144)?
- Has the company experienced any AI-related incidents, customer complaints, regulatory inquiries, or litigation?
- Does the company maintain a vendor due diligence process for third-party AI tools?
- Has the company obtained independent advisory review of its AI compliance posture?
- What disclosure controls govern AI-related statements in periodic reports and earnings calls?
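The disparate-impact testing question on that list has concrete arithmetic behind it, and a director asking it should know what answer to expect. The following Python is an illustration added here, not code from the original article or from any carrier's questionnaire. It computes selection rates and impact ratios over a constructed set of hiring outcomes (the cell counts are invented for the example) and flags every category whose ratio falls below the four-fifths threshold that the EEOC Uniform Guidelines (29 CFR 1607.4(D)) use as a rule of thumb and that the NYC LL 144 bias audit reports in impact-ratio form. The function names are my own. The test is a screening heuristic, not a legal conclusion: for score-based tools LL 144 compares the rate of scoring above the median rather than a selection rate, and small categories produce unstable ratios.

```python
"""Four-fifths / impact-ratio screening for an automated employment decision tool.

Added illustration; not code from the original article. The cell counts below are
constructed for the example and do not describe any real employer or tool.
"""
from collections import Counter

# Constructed (selected, total) counts per (sex, race) cell for applicants screened by a
# hypothetical automated employment decision tool. Invented for illustration only.
CONSTRUCTED_CELLS = {
    ("male", "white"): (30, 100),
    ("female", "white"): (27, 100),
    ("male", "black"): (18, 100),
    ("female", "black"): (12, 100),
    ("male", "hispanic"): (21, 100),
    ("female", "hispanic"): (20, 100),
}

# EEOC Uniform Guidelines (29 CFR 1607.4(D)) rule of thumb: a selection rate below
# four-fifths of the highest group's rate is treated as evidence of adverse impact.
FOUR_FIFTHS = 0.8


def expand(cells):
    """Turn per-cell counts into applicant-level rows of (sex, race, selected)."""
    rows = []
    for (sex, race), (selected, total) in cells.items():
        rows.extend([(sex, race, True)] * selected)
        rows.extend([(sex, race, False)] * (total - selected))
    return rows


def selection_rates(rows, key, min_count=1):
    """Selection rate per category, where key(sex, race) defines the category.

    Categories with fewer than min_count applicants are dropped: the ratio test is
    unstable on tiny groups, and the LL 144 rules let an audit exclude very small
    categories as long as the exclusion is disclosed.
    """
    selected, total = Counter(), Counter()
    for sex, race, hired in rows:
        cat = key(sex, race)
        total[cat] += 1
        selected[cat] += int(hired)
    return {c: selected[c] / total[c] for c in total if total[c] >= min_count}


def impact_ratios(rates):
    """Impact ratio per category: its selection rate divided by the highest category's rate.

    This is the LL 144 reporting convention; the four-fifths rule compares the same
    quantity against 0.8.
    """
    if not rates:
        return {}
    top = max(rates.values())
    return {c: (r / top if top else 0.0) for c, r in rates.items()}


def flag_adverse_impact(rows, key, threshold=FOUR_FIFTHS, min_count=1):
    """Return {category: impact_ratio} for every category below threshold."""
    ratios = impact_ratios(selection_rates(rows, key, min_count))
    return {c: ratio for c, ratio in ratios.items() if ratio < threshold}


def audit(rows):
    """Run the screen by sex, by race, and intersectionally; LL 144 requires all three."""
    return {
        "sex": flag_adverse_impact(rows, lambda s, r: s),
        "race": flag_adverse_impact(rows, lambda s, r: r),
        "sex_x_race": flag_adverse_impact(rows, lambda s, r: (s, r)),
    }


if __name__ == "__main__":
    for view, flagged in audit(expand(CONSTRUCTED_CELLS)).items():
        print(view, {c: round(v, 3) for c, v in flagged.items()} or "no category below 0.8")
```

On the constructed counts the sex-only view passes (the female ratio is about 0.86), the race view flags two categories, and the intersectional view flags four. That gap is the point a committee should probe: a vendor report that tests one protected attribute at a time can show a clean result that the intersectional test required by LL 144 does not support.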
Companies that answer these questions affirmatively, with documentation, secure renewals at favorable terms. Companies that cannot answer them face the consequences described above. The renewal questionnaire has become the most direct mechanism by which D&O underwriting pressure is operationalizing AI governance at scale.
Documentation directors should require
Discharging the duty of oversight requires documented evidence of that oversight. Six categories of documentation should be in place and reviewed by the relevant board committee at appropriate intervals:
1. Board-approved AI governance policy
A formal policy, approved by the board or the appropriate committee, that articulates the company's principles for AI development, deployment, and oversight. The policy should reference applicable laws and frameworks (NIST AI RMF, ISO/IEC 42001, EU AI Act, relevant state laws), define roles and responsibilities, and establish escalation paths.
2. AI inventory
A current and maintained list of every AI system used by the company — internally and in customer-facing products — with classification, vendor, business owner, and risk tier for each. Reviewed and updated at least quarterly.
3. Compliance posture by jurisdiction
A documented summary of how the company is meeting its obligations under each applicable AI-specific regulation (Illinois HB 3773, Illinois WOPR Act, Colorado AI Act, NYC LL 144, California ADMT, EU AI Act, etc.). Updated as regulations are amended or new obligations take effect.
4. Vendor due diligence records
Documentation of due diligence performed on each third-party AI tool used in regulated workflows. The records should show what questions were asked, what answers were received, and how discrepancies were resolved.
5. Incident log
A record of AI-related incidents, customer complaints, regulatory inquiries, and remediation actions. Reviewed by the appropriate committee on a recurring schedule.
6. Quarterly committee report
A standing agenda item for the relevant committee (audit, risk, technology) covering AI compliance posture, regulatory developments, incidents, and any matters requiring board attention. The committee minutes should reflect substantive discussion of these reports.
These six categories are the documentary backbone of AI oversight. When a Caremark claim is eventually filed over an AI-related failure, the existence and quality of this documentation will be the central question.
Committee structure for AI oversight
There is no single right answer to the question of which board committee should oversee AI compliance. Three structural choices are common, each appropriate for different company profiles:
Audit committee oversight
Appropriate when AI compliance is treated primarily as a regulatory and financial reporting issue. The audit committee already has primary responsibility for compliance oversight; AI fits naturally as one of the compliance topics under its purview. Most US public companies in 2026 use this structure.
Risk committee oversight
Appropriate at financial institutions and other regulated industries that already maintain a board risk committee. AI risk aligns naturally with credit, market, operational, and cybersecurity risks. The risk committee structure also fits well when the company is subject to extensive sector-specific regulation (banking, insurance, healthcare).
Technology or AI committee oversight
Appropriate when AI is a strategic priority for the company, requires more frequent and substantive board attention than the audit committee can provide, or when the company has substantial AI exposure across multiple business lines. A standalone committee signals to investors, regulators, and underwriters that AI is being treated with the seriousness it warrants.
Whichever structure is chosen, the choice should be deliberate, documented in the committee charter, and reflected in the proxy statement. Splitting AI oversight across multiple committees without clear delineation tends to produce gaps; consolidating under one committee with cross-references to others tends to work better in practice.
Practical steps for directors
For a director who reads this and concludes their board needs to act, the practical sequence is:
Step 1 — Place AI on the board agenda
The first board or committee meeting after this review should include a substantive AI agenda item, not a passing reference. The minutes should reflect the discussion. This single act establishes the foundation that AI is being treated as a board matter.
Step 2 — Request a current-state assessment from management
Direct management to produce, within 60-90 days, a written current-state assessment of the company's AI use and compliance posture. The assessment should cover the six documentation categories above. Management's first draft will likely surface gaps; that is the point.
Step 3 — Determine the committee structure
Decide which committee will have primary AI oversight. Update the committee charter to reflect the responsibility. Update the proxy statement at the next annual meeting.
Step 4 — Establish a recurring reporting cadence
The relevant committee should receive AI compliance reports at least quarterly, with annual deep reviews. Committee minutes should document substantive engagement with the reports.
Step 5 — Consider independent advisory review
Especially in regulated industries or following the company's first AI-related incident, consider engaging an independent advisor to review the AI compliance posture. The deliverable serves three audiences simultaneously: the board (oversight discharge), the D&O underwriter (renewal documentation), and counsel (defense file in the event of a claim). See the Multi-Jurisdictional Review or AI Compliance Diagnostic services for the kind of work that fits this purpose.
Step 6 — Address D&O coverage at renewal
Engage the D&O broker early — at least 60-90 days before renewal — with the documentation produced in Steps 1-5. Use the documentation as the basis for negotiating favorable terms, pushing back on AI-specific exclusions, and preserving full coverage for AI-related claims.
This article was last reviewed on May 9, 2026. AI-related litigation, SEC enforcement, and D&O underwriting standards are evolving rapidly; the article will be updated quarterly. Directors and committee chairs evaluating AI oversight posture may also find the Board & Committee Briefings service useful as a way to develop board-level fluency on these issues. The Illinois AI Legislative Ecosystem tracker maintains real-time tracking of state and federal AI regulatory developments that drive the analysis above.
Frequently asked questions
- What questions are D&O underwriters asking about AI at renewal?
- Carriers' questions vary, but the typical 2026 renewal questionnaire covers: whether the company has a documented AI governance policy; which board committee has oversight; how often the committee receives AI compliance reports; whether the company has conducted disparate-impact testing on AI tools used in employment decisions; how the company is responding to specific state laws (HB 3773, WOPR Act, Colorado AI Act); whether the company has experienced any AI-related incidents, complaints, or regulatory inquiries; and whether the company has obtained independent advisory review of its AI compliance posture. Companies that cannot answer these questions face premium increases of 15-40%, exclusions for AI-related claims, or reduced coverage limits.
- Are there recorded cases of directors being held liable for AI oversight failures?
- As of May 2026, no published Delaware decision has held directors personally liable for an AI-specific Caremark failure. However, several AI-related securities class actions have settled or proceeded past motions to dismiss, indicating that plaintiffs' counsel are testing the AI oversight theory actively. Stanford Securities Class Action Clearinghouse and Cornerstone Research have documented a meaningful uptick in AI-related class actions starting in 2023, with the trajectory accelerating through 2024 and 2025. Directors and officers should expect AI-related Caremark complaints to be filed in 2026-2027 as plaintiffs adapt the theory to specific AI failures.
- Should the audit committee or a separate technology committee oversee AI?
- Either structure can work, but the choice should be deliberate. Audit committee oversight makes sense when AI compliance is treated primarily as a regulatory and financial reporting issue. A standalone technology or risk committee makes sense when the company has substantial AI exposure across multiple business lines, when the company is in a regulated industry with sector-specific AI rules, or when AI is a strategic priority requiring more frequent and substantive board attention than the audit committee can provide. The structural choice should be documented in committee charters and reflected in the proxy statement.
- Does D&O coverage already cover AI-related claims?
- Generally yes, but coverage is being narrowed and clarified at 2026 renewals. Standard D&O policies cover wrongful acts by directors and officers, which would include alleged failures of oversight under Caremark. However, carriers are increasingly adding AI-specific exclusions or requiring sub-limits for AI claims, particularly for representations about AI capabilities (the so-called "AI washing" claims). Companies should review policies carefully at renewal, and where exclusions appear, push back with documented evidence of AI compliance posture as a basis for negotiating coverage.
- What is "AI washing" and how does it create D&O exposure?
- "AI washing" is the term used in securities litigation for allegations that a company has overstated its AI capabilities, AI use, or AI-driven results in public filings, earnings calls, marketing materials, or fundraising disclosures. The SEC has brought enforcement actions against companies for AI washing, and plaintiffs' securities counsel have filed parallel class actions. AI washing creates direct D&O exposure because the alleged misrepresentations typically come from senior officers and are alleged to have caused investor losses. Companies should treat AI-related disclosures with the same rigor as financial disclosures, with controls over what is said about AI in any public-facing context.
How to cite this article
APA
Abdullahi, K. M. (2026, May 9). AI Risk and D&O Liability: A Reference for Directors. Techné AI. https://techne.ai/insights/ai-risk-do-liability-reference-for-directors
MLA
Abdullahi, Khullani M. "AI Risk and D&O Liability: A Reference for Directors." Techné AI, May 9, 2026, https://techne.ai/insights/ai-risk-do-liability-reference-for-directors.
Plain text
Abdullahi, Khullani M. "AI Risk and D&O Liability: A Reference for Directors." Techné AI, May 9, 2026. Available at: https://techne.ai/insights/ai-risk-do-liability-reference-for-directors
About the author
Khullani M. Abdullahi, JD, is an AI governance and compliance consultant and the founder of Techné AI, an independent advisory firm based in Chicago. She submitted written testimony to the Illinois Senate Executive Subcommittee on AI and Social Media; the substance of one of her recommendations was incorporated into an AI-risk impact study bill. She authored the AI Governance & D&O Liability briefing now in active circulation among practitioners and underwriters, maintains the Illinois AI Legislative Ecosystem tracker, and hosts the AI in Chicago podcast. Techné AI is an advisory firm, not a law firm.